Peter Hamilton 4a3769e113 Adding dynamic operation policy loading to the KMIP server
This change adds support for dynamic operation policy loading.
The server config file now supports a 'policy_path' option that
points to a filesystem directory. Each file in the directory
should contain a JSON policy object. The KMIP server will scan
this directory and attempt to load all valid policies it finds.
The results of this process will be logged.
2016-11-10 10:39:16 -05:00

259 lines
14 KiB
Python

# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
import six
from kmip.core import enums
def read_policy_from_file(path):
with open(path, 'r') as f:
try:
policy_blob = json.loads(f.read())
except Exception as e:
raise ValueError(
"An error occurred while attempting to parse the JSON "
"file. {0}".format(e)
)
policies = dict()
for name, object_policies in six.iteritems(policy_blob):
processed_object_policies = dict()
for object_type, operation_policies in six.iteritems(object_policies):
processed_operation_policies = dict()
for operation, permission in six.iteritems(operation_policies):
try:
enum_operation = enums.Operation[operation]
except Exception:
raise ValueError(
"'{0}' is not a valid Operation value.".format(
operation
)
)
try:
enum_policy = enums.Policy[permission]
except Exception:
raise ValueError(
"'{0}' is not a valid Policy value.".format(
permission
)
)
processed_operation_policies.update([
(enum_operation, enum_policy)
])
try:
enum_type = enums.ObjectType[object_type]
except Exception:
raise ValueError(
"'{0}' is not a valid ObjectType value.".format(
object_type
)
)
processed_object_policies.update([
(enum_type, processed_operation_policies)
])
policies.update([(name, processed_object_policies)])
return policies
policies = {
'default': {
enums.ObjectType.CERTIFICATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
enums.Operation.CHECK: enums.Policy.ALLOW_ALL,
enums.Operation.GET: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_ALL,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.SYMMETRIC_KEY: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.PUBLIC_KEY: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
enums.Operation.CHECK: enums.Policy.ALLOW_ALL,
enums.Operation.GET: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_ALL,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.PRIVATE_KEY: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.SPLIT_KEY: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.TEMPLATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.SECRET_DATA: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.OPAQUE_DATA: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
},
enums.ObjectType.PGP_KEY: {
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
}
},
'public': {
enums.ObjectType.TEMPLATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
enums.Operation.GET: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
enums.Operation.ADD_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
enums.Operation.DESTROY: enums.Policy.DISALLOW_ALL
}
}
}